In accordance with Payment Card Industry Data Security Standard (PCI DSS), merchants / service providers and other entities involved in payment card processing are required to undertake the following:

PCI DSS requirement 11.3.1, perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment);

PCI DSS requirement 11.3.2, perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment);

PCI DSS requirement 11.3.4, if segmentation is used to isolate the Cardholder Data Environment (CDE), perform network segmentation testing at least annually and after any changes to segmentation controls / methods. In addition, service providers starting from February 2018 will be required to undertake network segmentation testing at least every six months and after any changes to segmentation controls / methods.

PCI DSS requirement 6.6, for public-facing web applications, where a web-application firewall is not installed, a manual or automated application vulnerability security assessment (WEB Application penetration testing) is to be undertaken at least annually and after any changes.

As stated in PCI DSS, there is no need for penetration tester to be a Qualified Security Assessor (QSA) and / or Approved Scanning Vendor (ASV). The requirement is that the tests above are performed by a qualified penetration tester (e.g. having obtained certifications, such as CEH and PCIP).

All our performed PCI DSS penetration testing is undertaken by a Certified Penetration Tester (Managing Director) having more than 14 years Cyber Security Audit experience and holding professional certifications, such as Certified Ethical Hacker (CEH v8), Payment Card Industry Professional (PCIP) and Certified Information Systems Auditor (CISA), which are the most recognized certifications for penetration testing and auditing worldwide.

Please, feel free to contact us to discuss your Organization’s penetration testing requirements and get a quote.